At 9:34PM UTC on January 27, 2022, a bad actor started their exploit of Qubit Finance’s Ethereum (ETH) to Binance Smart Chain (BSC) bridge.
As noted in an update from CertiK, this particular exploit “ended up netting them 77,162 qXETH ($185 million), which they then used to borrow and convert 15,688 wETH ($37.6 million), 767 BTC-B ($28.5 million), approximately $9.5 million in various stablecoins, and ~$5 million in CAKE, BUNNY, and MDX.”
At $80 million TVL (Total Value Lost), this is “by far the largest exploit of 2022 to date,” the team at blockchain security firm CertiK revealed.
Who’s the Target?
Qubit Finance calls itself “a decentralized money market platform that takes advantage of the speed, automation, and security of the blockchain to connect lenders and borrowers efficiently and securely.”
In addition to lending and borrowing services, Qubit Finance reportedly operates an Ethereum-BSC bridge. It was this bridge that was “the target of the exploit,” the team at CertiK reports.
They explained that a bridge in crypto is like “a piece of infrastructure that connects two (or more) blockchains.” In the case of Qubit Finance’s bridge, clients need to deposit their ERC-20 tokens to the bridge and “receive BEP-20 tokens in return, which you are then free to go and use on Binance Smart Chain.”
How Did This Happen?
As noted by CertiK:
“What the attacker did is take advantage of a logical error in Qubit Finance’s code that allowed them to input malicious data and withdraw tokens on Binance Smart Chain when none were deposited on Ethereum.”
All this occurred, even though there had been several fail safes. (Note: for a more technical explanation/breakdown, check here.)
What Have We Learned?
As of the time of publication, the attacker’s address still “holds approximately $80 million of stolen assets.”
As noted by CertiK, the exploit of a cross-chain bridge highlights two things: the “importance of cross-chain bridges that facilitate interoperability between blockchains.” It also emphasized the “importance of the security of these bridges.”
As we move from an Ethereum-dominant world to a more multi-chain ecosystem, bridges will only become more relevant, according to industry experts and CertiK.
Consumers need to move funds from one blockchain to another, but they also “need to do so in ways that are not susceptible to hackers who can steal more than $80 million dollars.”